Publish npm package from auto release #2

Merged: eiei114 merged 2 commits into main from ci-auto-release-npm-publish on May 28, 2026

@eiei114 eiei114 commented May 28, 2026

Owner

Summary

  • run npm publish inside auto-release.yml after a new version tag/release is created
  • mirror the existing publish.yml steps instead of inventing a separate release path
  • add job-level OIDC permission and publish concurrency keyed by tag

Validation

  • npm run check
  • compared against sibling OSS publish.yml / auto-release.yml patterns in this workspace

Summary by CodeRabbit

  • Chores
    • Improved release automation: added a gated publish step that only runs for confirmed releases and skips publishing if the package version already exists to prevent duplicates.
    • Added safer release coordination with tag-based concurrency and repository checkout at the release revision to ensure consistent published artifacts.

Run the same npm publish flow inside auto-release after creating a new version tag so main merges can release and publish in one workflow.

Co-authored-by: Cursor <cursoragent@cursor.com>
coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7bf26f21-fecf-4bd6-83e0-09d510d4f3f5

📥 Commits

Reviewing files that changed from the base of the PR and between 121d74d and 37cedca.

📒 Files selected for processing (1)
  • .github/workflows/auto-release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/auto-release.yml

📝 Walkthrough

The auto-release workflow adds job outputs released and tag to the release job and a new conditional publish job that checks out the release tag, sets up Node.js, validates the package (if scripts exist), verifies npm for the target version, and publishes only when the version is not already present.

Changes

Auto-release with npm publishing

| Layer / File(s) | Summary |
| --- | --- |
| Release job outputs (.github/workflows/auto-release.yml) | The release job exposes released and tag as outputs computed by the check step and pins actions/checkout for that job. |
| Publish job entry and checkout (.github/workflows/auto-release.yml) | Adds a publish job conditional on needs.release.outputs.released == 'true', with concurrency keyed by the release tag and checkout at ref: ${{ needs.release.outputs.tag }}. |
| Node setup and dependency install (.github/workflows/auto-release.yml) | publish sets up Node.js 24, configures npm registry, and installs dependencies via npm ci when package-lock.json exists, else npm install, else logs no install. |
| Validation script detection (.github/workflows/auto-release.yml) | publish runs the first available validation script in package.json in order: check, test, then typecheck; otherwise it logs no configured validation. |
| npm registry check and publish gating (.github/workflows/auto-release.yml) | publish runs npm view ${package.name}@${package.version} to decide whether to skip publishing (sets skip output) and runs npm publish --access public only when not skipped. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through YAML under moonlit ops,

Release whispers tag — the publish job hops,
It checks, it tests, then peeks at npm's door,
If version's new, it sends the package o'er,
A tiny rabbit cheers: "Deployed once more!"

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately describes the main change: adding npm package publishing functionality to the auto-release workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-release.yml:
- Around line 100-111: The current check using npm view ("Skip already published
version" step, id: published) treats any npm view failure as "not published" and
may proceed to publish on transient registry/auth errors; change the script to
run npm view and capture its exit code and stderr (using name and version
variables), set skip=true only when npm view exits 0, set skip=false only when
npm view exits non-zero and stderr clearly indicates "404" / "Not Found" / E404
(package/version missing), and otherwise fail the step (exit 1) to abort the
release on registry lookup/auth errors rather than attempting publish; ensure
you still echo the correct "skip=true"/"skip=false" to $GITHUB_OUTPUT.
- Around line 69-74: The workflow currently uses actions/setup-node@v4 with the
unsupported input package-manager-cache: remove the package-manager-cache line
from the Setup Node.js step or upgrade the action to actions/setup-node@v5 (or a
v5+ pin) if you intend to control package-manager-cache; update the uses entry
(actions/setup-node@v4 → actions/setup-node@v5) when choosing the upgrade and
keep node-version: 24 and registry-url unchanged.
- Around line 64-73: Replace floating tags for GitHub Actions with immutable
SHAs: update the workflow steps named "Checkout" and "Setup Node.js" to use the
specific commit SHAs instead of actions/checkout@v4 and actions/setup-node@v4
(and do the same for the release-job checkout if present). Locate the steps by
the step names "Checkout" and "Setup Node.js" or the current "uses:
actions/checkout@v4" and "uses: actions/setup-node@v4" lines, fetch the
corresponding stable commit SHAs from each action's GitHub repository, and
substitute the `@v4` tags with those SHAs to pin the actions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e80878e3-62f2-4e23-919e-589fdd766c88

📥 Commits

Reviewing files that changed from the base of the PR and between 2494a88 and 121d74d.

📒 Files selected for processing (1)
  • .github/workflows/auto-release.yml
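
The lookup classification described in the first inline comment above, as an added example (not code from this repository or from CodeRabbit). It goes one step beyond the comment by also treating exit 0 with empty output as "not published"; `classify_npm_view`, `check_published` and `demo` are hypothetical names, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not the repository's workflow code. Function names are hypothetical.

# classify_npm_view EXIT_CODE STDOUT STDERR
# Prints skip=true or skip=false on stdout and returns 0 when the lookup is
# conclusive; prints a reason on stderr and returns 1 when it is not.
classify_npm_view() {
  cnv_code=$1 cnv_out=$2 cnv_err=$3
  if [ "$cnv_code" -eq 0 ]; then
    # Some npm releases exit 0 with empty output when the package exists but
    # the requested version does not, so exit 0 alone is not proof.
    if [ -n "$cnv_out" ]; then echo "skip=true"; else echo "skip=false"; fi
    return 0
  fi
  case $cnv_err in
    *"code E404"*)
      echo "skip=false"   # registry answered: package or version is missing
      return 0 ;;
  esac
  echo "npm view failed (exit $cnv_code) without E404; aborting" >&2
  return 1
}

# check_published NAME VERSION: runs the real lookup and classifies it.
# In the workflow step: check_published "$name" "$version" >> "$GITHUB_OUTPUT"
check_published() {
  cp_errfile=$(mktemp)
  cp_out=$(npm view "$1@$2" version 2>"$cp_errfile") && cp_code=0 || cp_code=$?
  cp_err=$(cat "$cp_errfile"); rm -f "$cp_errfile"
  classify_npm_view "$cp_code" "$cp_out" "$cp_err"
}

# Constructed samples (not captured from a real run).
demo() {
  printf '%-24s ' "$1"
  classify_npm_view "$2" "$3" "$4" 2>/dev/null || echo "abort release"
}
demo "version on registry"  0 "1.4.0" ""
demo "exit 0, empty output" 0 ""      ""
demo "E404 from registry"   1 ""      "npm error code E404"
demo "timeout"              1 ""      "npm error code ETIMEDOUT"
demo "auth failure"         1 ""      "npm error code E401"
```

Because the inconclusive branch returns non-zero, a step that runs with the shell's errexit option stops before `npm publish` is reached.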

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@eiei114 eiei114 merged commit f241bc8 into main May 28, 2026
1 check passed
@eiei114 eiei114 deleted the ci-auto-release-npm-publish branch May 28, 2026 15:08